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Abstract 


This document provides generic rules to enable the forwarding of an IPv6 over Low-Power 
Wireless Personal Area Network (6LOWPAN) fragment over a route-over network. Forwarding 
fragments can improve both end-to-end latency and reliability as well as reduce the buffer 
requirements in intermediate nodes; it may be implemented using RFC 4944 and Virtual 
Reassembly Buffers (VRBs). 
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This document is a product of the Internet Engineering Task Force (IETF). It represents the 
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publication by the Internet Engineering Steering Group (IESG). Further information on Internet 
Standards is available in Section 2 of RFC 7841. 


Information about the current status of this document, any errata, and how to provide feedback 
on it may be obtained at https://www.rfc-editor.org/info/rfc8930. 
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1. Introduction 


November 2020 


The original 6LoWPAN fragmentation is defined in [RFC4944] for use over a single Layer 3 hop, 
though multiple Layer 2 hops in a mesh-under network is also possible, and was not modified by 
the update in [RFC6282]. 6LoWPAN operations including fragmentation depend on a link-layer 
security that prevents any rogue access to the network. 


In a route-over 6LOWPAN network, an IP packet is expected to be reassembled at each 
intermediate hop, uncompressed, pushed to Layer 3 to be routed, and then compressed and 
fragmented again. This document introduces an alternate approach called 6LOWPAN Fragment 
Forwarding (6LFF) whereby an intermediate node forwards a fragment (or the bulk thereof, 
MTU permitting) without reassembling if the next hop is a similar 6LOWPAN link. The routing 
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decision is made on the first fragment of the datagram, which has the IPv6 routing information. 
The first fragment is forwarded immediately, and a state is stored to enable forwarding the next 
fragments along the same path. 


Done right, 6LoWPAN Fragment Forwarding techniques lead to more streamlined operations, 
less buffer bloat, and lower latency. But it may be wasteful when fragments are missing, leading 
to locked resources and low throughput, and it may be misused to the point that the end-to-end 
latency of one packet falls behind that of per-hop reassembly. 


This specification provides a generic overview of 6LFF, discusses advantages and caveats, and 
introduces a particular 6LFF technique called "Virtual Reassembly Buffer" (VRB) that can be used 
while retaining the message formats defined in [RFC4944]. Basic recommendations such as the 
insertion of an inter-frame gap between fragments are provided to avoid the most typical 
caveats. 


2. Terminology 


2.1. Requirements Language 


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD 
NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to 
be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in 
all capitals, as shown here. 


2.2. Background 


Past experience with fragmentation, e.g., as described in "IPv4 Reassembly Errors at High Data 
Rates" [RFC4963] and references therein, has shown that misassociated or lost fragments can 
lead to poor network behavior and, occasionally, trouble at the application layer. That 
experience led to the definition of the "Path MTU Discovery for IP version 6" [RFC8201] protocol 
that limits fragmentation over the Internet. 


"IP Fragmentation Considered Fragile" [RFC8900] discusses security threats that are linked to 
using IP fragmentation. The 6LOWPAN fragmentation takes place underneath the IP Layer, but 
some issues described there may still apply to 6LoWPAN fragments (as discussed in further 
details in Section 7). 


Readers are expected to be familiar with all the terms and concepts that are discussed in "IPv6 
over Low-Power Wireless Personal Area Networks (6LOWPANSs): Overview, Assumptions, 
Problem Statement, and Goals" [RFC4919] and "Transmission of IPv6 Packets over IEEE 802.15.4 
Networks" [RFC4944]. 


"Multiprotocol Label Switching Architecture" [RFC3031] states that with MPLS, 
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packets are "labeled" before they are forwarded. At subsequent hops, there is no further 
analysis of the packet's network layer header. Rather, the label is used as an index into a 
table which specifies the next hop, and a new label. 


The MPLS technique is leveraged in the present specification to forward fragments that actually 
do not have a network-layer header, since the fragmentation occurs below IP. 


2.3. New Terms 


This specification uses the following terms: 


6LOWPAN Fragment Forwarding Endpoints: The 6LFF endpoints are the first and last nodes in 
an unbroken string of 6LFF nodes. They are also the only points where the fragmentation and 
reassembly operations take place. 


Compressed Form: This specification uses the generic term "compressed form" to refer to the 
format of a datagram after the action of [RFC6282] and possibly [RFC8138] for Routing 
Protocol for Low-Power and Lossy Network (RPL) [RFC6550] artifacts. 


Datagram_Size: The size of the datagram in its compressed form before it is fragmented. 


Datagram_Tag: An identifier of a datagram that is locally unique to the Layer 2 sender. 
Associated with the link-layer address of the sender, this becomes a globally unique identifier 
for the datagram within the duration of its transmission. 


Fragment_Offset: The offset of a fragment of a datagram in its compressed form. 


3. Overview of 6LOWPAN Fragmentation 


Figure 1 illustrates 6LoWPAN fragmentation. We assume node A forwards a packet to node B, 
possibly as part of a multi-hop route between 6LOWPAN Fragment Forwarding endpoints, which 
may be neither A nor B, though 6LOWPAN may compress the IP header better when they are 
both the 6LFF and the 6LoWPAN compression endpoints. 
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+---+ +---+ 
z= A e >| B === 
+---+ +---+ 
# (frag. 5) 
123456789 123456789 
+--------- + +--------- + 
l # ###| |### # l 
+--------- + +--------- + 
outgoing incoming 
fragmentation reassembly 
buffer buffer 
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Figure 1: Fragmentation at Node A, and Reassembly at Node B 


Typically, node A starts with an uncompressed packet and compacts the IPv6 packet using the 
header compression mechanism defined in [RFC6282]. If the resulting 6LOWPAN packet does not 
fit into a single link-layer frame, node A's 6LOWPAN sub-layer cuts it into multiple 6LoWPAN 
fragments, which it transmits as separate link-layer frames to node B. Node B's 6LOWPAN sub- 
layer reassembles these fragments, inflates the compressed header fields back to the original 
IPv6 header, and hands over the full IPv6 packet to its IPv6 layer. 


In Figure 1, a packet forwarded by node A to node B is cut into nine fragments, numbered 1 to 9 
as follows: 


e Each fragment is represented by the '#' symbol. 

e Node A has sent fragments 1, 2, 3, 5, and 6 to node B. 

e Node B has received fragments 1, 2, 3, and 6 from node A. 

e Fragment 5 is still being transmitted at the link layer from node A to node B. 


The reassembly buffer for 6LoWPAN is indexed in node B by: 


e a unique identifier of node A (e.g., node A's link-layer address). 
e the Datagram_Tag chosen by node A for this fragmented datagram. 


Because it may be hard for node B to correlate all possible link-layer addresses that node A may 
use (e.g., short versus long addresses), node A must use the same link-layer address to send all 
the fragments of the same datagram to node B. 


Conceptually, the reassembly buffer in node B contains: 


e a Datagram_Tag as received in the incoming fragments, associated with the interface and the 
link-layer address of node A for which the received Datagram_Tag is unique, 


e the actual packet data from the fragments received so far, in a form that makes it possible to 
detect when the whole packet has been received and can be processed or forwarded, 


e a state indicating the fragments already received, 
e a Datagram_Size, and 
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e a timer that allows discarding a partially reassembled packet after some timeout. 


A fragmentation header is added to each fragment; it indicates what portion of the packet that 
fragment corresponds to. Section 5.3 of [RFC4944] defines the format of the header for the first 
and subsequent fragments. All fragments are tagged with a 16-bit "Datagram_Tag", used to 
identify which packet each fragment belongs to. Each datagram can be uniquely identified by the 
sender link-layer addresses of the frame that carries it and the Datagram_Tag that the sender 
allocated for this datagram. [RFC4944] also mandates that the first fragment is sent first and with 
a particular format that is different than that of the next fragments. Each fragment except for the 
first one can be identified within its datagram by the datagram-offset. 


Node B's typical behavior, per [RFC4944], is as follows. Upon receiving a fragment from node A 
with a Datagram_Tag previously unseen from node A, node B allocates a buffer large enough to 
hold the entire packet. The length of the packet is indicated in each fragment (the Datagram_Size 
field), so node B can allocate the buffer even if the fragment it receives first is not the first 
fragment. As fragments come in, node B fills the buffer. When all fragments have been received, 
node B inflates the compressed header fields into an IPv6 header and hands the resulting IPv6 
packet to the IPv6 layer, which performs the route lookup. This behavior typically results in per- 
hop fragmentation and reassembly. That is, the packet is fully reassembled, then (re-)fragmented, 
at every hop. 


4. Limitations of Per-Hop Fragmentation and Reassembly 


There are at least two limitations to doing per-hop fragmentation and reassembly. See [ARTICLE] 
for detailed simulation results on both limitations. 


4.1. Latency 


When reassembling, a node needs to wait for all the fragments to be received before being able 
to re-form the IPv6 packet and possibly forwarding it to the next hop. This repeats at every hop. 


This may result in increased end-to-end latency compared to a case where each fragment is 


forwarded without per-hop reassembly. 


4.2. Memory Management and Reliability 


Constrained nodes have limited memory. Assuming a reassembly buffer for a 6LoWPAN MTU of 
1280 bytes as defined in Section 4 of [RFC4944], typical nodes only have enough memory for 1-3 
reassembly buffers. 


To illustrate this, we use the topology from Figure 2, where nodes A, B, C, and D all send packets 
through node E. We further assume that node E's memory can only hold 3 reassembly buffers. 
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+---+ +---+ 
E >| B | 
+---+ +---+\ 
\ 
+---+ +---+ 
Ba 
+---+ +---+ 
/ 
/ 
+---+ +---+ 
E >| D | 
+---+ +---+ 


Figure 2: Illustrating the Memory Management Issue 


When nodes A, B, and C concurrently send fragmented packets, all three reassembly buffers in 
node E are occupied. If, at that moment, node D also sends a fragmented packet, node E has no 
option but to drop one of the packets, lowering end-to-end reliability. 


5. Forwarding Fragments 


A 6LOWPAN Fragment Forwarding technique makes the routing decision on the first fragment, 
which is always the one with the IPv6 address of the destination. Upon receiving a first fragment, 
a forwarding node (e.g., node B in an A->B->C sequence) that does fragment forwarding MUST 
attempt to create a state and forward the fragment. This is an atomic operation, and if the first 
fragment cannot be forwarded, then the state MUST be removed. 


Since the Datagram_Tag is uniquely associated with the source link-layer address of the 
fragment, the forwarding node MUST assign a new Datagram_Tag from its own namespace for 
the next hop and rewrite the fragment header of each fragment with that Datagram_Tag. 


When a forwarding node receives a fragment other than a first fragment, it MUST look up state 
based on the source link-layer address and the Datagram_Tag in the received fragment. If no 
such state is found, the fragment MUST be dropped; otherwise, the fragment MUST be forwarded 
using the information in the state found. 


Compared to Section 3, the conceptual reassembly buffer in node B now contains the following, 
assuming that node B is neither the source nor the final destination: 


e a Datagram_Tag as received in the incoming fragments, associated with the interface and the 
link-layer address of node A for which the received Datagram_Tag is unique. 


e the link-layer address that node B uses as the source to forward the fragments. 


e the interface and the link-layer address of the next-hop C that is resolved on the first 
fragment. 


e a Datagram_Tag that node B uniquely allocated for this datagram and that is used when 
forwarding the fragments of the datagram. 


e a buffer for the remainder of a previous fragment left to be sent. 
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e a timer that allows discarding the stale 6LFF state after some timeout. The duration of the 
timer should be longer than that which covers the reassembly at the receiving endpoint. 


A node that has not received the first fragment cannot forward the next fragments. This means 
that if node B receives a fragment, node A was in possession of the first fragment at some point. 
To keep the operation simple and consistent with [RFC4944], the first fragment MUST always be 
sent first. When that is done, if node B receives a fragment that is not the first and for which it 
has no state, then node B treats it as an error and refrains from creating a state or attempting to 
forward. This also means that node A should perform all its possible retries on the first fragment 
before it attempts to send the next fragments, and that it should abort the datagram and release 
its state if it fails to send the first fragment. 


Fragment forwarding obviates some of the benefits of the 6LoWPAN header compression 
[RFC6282] in intermediate hops. In return, the memory used to store the packet is distributed 
along the path, which limits the buffer-bloat effect. Multiple fragments may progress 
simultaneously along the network as long as they do not interfere. An associated caveat is that on 
a half-duplex radio, if node A sends the next fragment at the same time as node B forwards the 
previous fragment to node C down the path, then node B will miss it. If node C forwards the 
previous fragment to node D at the same time and on the same frequency as node A sends the 
next fragment to node B, this may result in a hidden terminal problem. In that case, the 
transmission from node C interferes at node B with that from node A, unbeknownst to node A. 
Consecutive fragments of a same datagram MUST be separated with an inter-frame gap that 
allows one fragment to progress beyond the next hop and beyond the interference domain 
before the next shows up. This can be achieved by interleaving packets or fragments sent via 
different next-hop routers. 


6. Virtual Reassembly Buffer (VRB) Implementation 


The VRB [LWIG-VRB] is a particular incarnation of a 6LFF that can be implemented without a 
change to [RFC4944]. 


VRB overcomes the limitations listed in Section 4. Nodes do not wait for the last fragment before 
forwarding, reducing end-to-end latency. Similarly, the memory footprint of VRB is just the VRB 
table, reducing the packet drop probability significantly. 


However, there are other caveats: 


Non-zero Packet Drop Probability: The abstract data in a VRB table entry contains at a 
minimum the link-layer address of the predecessor and the successor, the Datagram_Tag used 
by the predecessor, and the local Datagram_Tag that this node will swap with it. The VRB may 
need to store a few octets from the last fragment that may not have fit within MTU and that 
will be prepended to the next fragment. This yields a small footprint that is 2 orders of 
magnitude smaller, compared to needing a 1280-byte reassembly buffer for each packet. Yet, 
the size of the VRB table necessarily remains finite. In the extreme case where a node is 
required to concurrently forward more packets than it has entries in its VRB table, packets 
are dropped. 
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No Fragment Recovery: There isno mechanism in VRB for the node that reassembles a packet 
to request a single missing fragment. Dropping a fragment requires the whole packet to be 
resent. This causes unnecessary traffic, as fragments are forwarded even when the 
destination node can never construct the original IPv6 packet. 


No Per-Fragment Routing: All subsequent fragments follow the same sequence of hops from the 
source to the destination node as the first fragment, because the IP header is required in 
order to route the fragment and is only present in the first fragment. A side effect is that the 
first fragment must always be forwarded first. 


The severity and occurrence of these caveats depend on the link layer used. Whether they are 
acceptable depends entirely on the requirements the application places on the network. 


If the caveats are present and not acceptable for the application, alternative specifications may 
define new protocols to overcome them. One example is [RFC8931], which specifies a 6LFF 
technique that allows the end-to-end fragment recovery between the 6LFF endpoints. 


7. Security Considerations 


An attacker can perform a Denial-of-Service (DoS) attack on a node implementing VRB by 
generating a large number of bogus "fragment 1" fragments without sending subsequent 
fragments. This causes the VRB table to fill up. Note that the VRB does not need to remember the 
full datagram as received so far but only possibly a few octets from the last fragment that could 
not fit in it. It is expected that an implementation protects itself to keep the number of VRBs 
within capacity, and that old VRBs are protected by a timer of a reasonable duration for the 
technology and destroyed upon timeout. 


Secure joining and the link-layer security that it sets up protects against those attacks from 
network outsiders. 


"IP Fragmentation Considered Fragile" [RFC8900] discusses security threats and other caveats 
that are linked to using IP fragmentation. The 6LOWPAN fragmentation takes place underneath 
the IP Layer, but some issues described there may still apply to 6LoWPAN fragments. 


e Overlapping fragment attacks are possible with 6LOWPAN fragments, but there is no known 
firewall operation that would work on 6LOWPAN fragments at the time of this writing, so the 
exposure is limited. An implementation of a firewall SHOULD NOT forward fragments but 
instead should recompose the IP packet, check it in the uncompressed form, and then 
forward it again as fragments if necessary. Overlapping fragments are acceptable as long as 
they contain the same payload. The firewall MUST drop the whole packet if overlapping 
fragments are encountered that result in different data at the same offset. 


e Resource-exhaustion attacks are certainly possible and a sensitive issue in a constrained 
network. An attacker can perform a DoS attack on a node implementing VRB by generating a 
large number of bogus first fragments without sending subsequent fragments. This causes 
the VRB table to fill up. When hop-by-hop reassembly is used, the same attack can be more 
damaging if the node allocates a full Datagram_Size for each bogus first fragment. With the 
VRB, the attack can be performed remotely on all nodes along a path, but each node suffers a 
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lesser hit. This is because the VRB does not need to remember the full datagram as received 
so far but only possibly a few octets from the last fragment that could not fit in it. An 
implementation MUST protect itself to keep the number of VRBs within capacity and to 
ensure that old VRBs are protected by a timer of a reasonable duration for the technology 
and destroyed upon timeout. 


e Attacks based on predictable fragment identification values are also possible but can be 
avoided. The Datagram_Tag SHOULD be assigned pseudorandomly in order to reduce the risk 
of such attacks. A larger size of the Datagram_Tag makes the guessing more difficult and 
reduces the chances of an accidental reuse while the original packet is still in flight, at the 
expense of more space in each frame. Nonetheless, some level of risk remains because an 
attacker that is able to authenticate to and send traffic on the network can guess a valid 
Datagram_Tag value, since there are only a limited number of possible values. 

e Evasion of Network Intrusion Detection Systems (NIDSs) leverages ambiguity in the 
reassembly of the fragment. This attack makes little sense in the context of this specification 
since the fragmentation happens within the Low-Power and Lossy Network (LLN), meaning 
that the intruder should already be inside to perform the attack. NIDS systems would 
probably not be installed within the LLN either but rather at a bottleneck at the exterior 
edge of the network. 


8. IANA Considerations 


This document has no IANA actions. 
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